summaryrefslogtreecommitdiffstats
path: root/openpgp/src/crypto/backend/cng/aead.rs
diff options
context:
space:
mode:
authorJustus Winter <justus@sequoia-pgp.org>2023-02-16 10:52:14 +0100
committerJustus Winter <justus@sequoia-pgp.org>2023-05-22 11:03:16 +0200
commit4bcaebc7515ed15bb403a312532e8870a781fb3a (patch)
tree2b2b57dc0c64d47a918c5bfe5fa1b6265291f637 /openpgp/src/crypto/backend/cng/aead.rs
parentd088cdb56f525beb1306a8145362a13e11704bf6 (diff)
openpgp: Implement GCM mode.
- The Galois/Counter mode for block ciphers is a FIPS-approved AEAD mode. It will be added to the upcoming OpenPGP standard so that we have a FIPS-compliant subset of OpenPGP.
Diffstat (limited to 'openpgp/src/crypto/backend/cng/aead.rs')
-rw-r--r--openpgp/src/crypto/backend/cng/aead.rs109
1 files changed, 101 insertions, 8 deletions
diff --git a/openpgp/src/crypto/backend/cng/aead.rs b/openpgp/src/crypto/backend/cng/aead.rs
index 9659812f..6ca59472 100644
--- a/openpgp/src/crypto/backend/cng/aead.rs
+++ b/openpgp/src/crypto/backend/cng/aead.rs
@@ -1,5 +1,5 @@
//! Implementation of AEAD using Windows CNG API.
-use std::cmp::Ordering;
+use std::cmp::{self, Ordering};
use crate::{Error, Result};
use crate::crypto::aead::{Aead, CipherOp};
@@ -8,8 +8,8 @@ use crate::seal;
use crate::types::{AEADAlgorithm, SymmetricAlgorithm};
use cipher::generic_array::{GenericArray, ArrayLength};
-use cipher::generic_array::typenum::{U16, U128, U192, U256};
-use cipher::Unsigned;
+use cipher::generic_array::typenum::{U12, U16, U128, U192, U256};
+use cipher::{BlockCipher, BlockEncrypt, BlockSizeUser, KeyInit, Unsigned};
use eax::online::{Eax, Encrypt, Decrypt};
use win_crypto_ng::symmetric::{BlockCipherKey, Aes};
@@ -106,19 +106,60 @@ impl AEADAlgorithm {
},
_ => Err(Error::UnsupportedSymmetricAlgorithm(sym_algo).into()),
},
- _ => Err(Error::UnsupportedAEADAlgorithm(self.clone()).into()),
+
+ AEADAlgorithm::OCB =>
+ Err(Error::UnsupportedAEADAlgorithm(*self).into()),
+
+ AEADAlgorithm::GCM => {
+ use aes_gcm::{AesGcm, Nonce};
+ match sym_algo {
+ SymmetricAlgorithm::AES128 => {
+ let nonce = Nonce::try_from_slice(nonce)?;
+ let cipher =
+ AesGcm::<BlockCipherKey<Aes, U128>, U12>::new_from_slice(key)?;
+ Ok(Box::new(Gcm { cipher, nonce: *nonce, aad: aad.to_vec() }))
+ },
+ SymmetricAlgorithm::AES192 => {
+ let nonce = Nonce::try_from_slice(nonce)?;
+ let cipher =
+ AesGcm::<BlockCipherKey<Aes, U192>, U12>::new_from_slice(key)?;
+ Ok(Box::new(Gcm { cipher, nonce: *nonce, aad: aad.to_vec() }))
+ },
+ SymmetricAlgorithm::AES256 => {
+ let nonce = Nonce::try_from_slice(nonce)?;
+ let cipher =
+ AesGcm::<BlockCipherKey<Aes, U256>, U12>::new_from_slice(key)?;
+ Ok(Box::new(Gcm { cipher, nonce: *nonce, aad: aad.to_vec() }))
+ },
+ | SymmetricAlgorithm::IDEA
+ | SymmetricAlgorithm::TripleDES
+ | SymmetricAlgorithm::CAST5
+ | SymmetricAlgorithm::Blowfish
+ | SymmetricAlgorithm::Twofish
+ | SymmetricAlgorithm::Camellia128
+ | SymmetricAlgorithm::Camellia192
+ | SymmetricAlgorithm::Camellia256
+ | SymmetricAlgorithm::Private(_)
+ | SymmetricAlgorithm::Unknown(_)
+ | SymmetricAlgorithm::Unencrypted =>
+ Err(Error::UnsupportedSymmetricAlgorithm(sym_algo).into()),
+ }
+ },
+
+ AEADAlgorithm::Private(_) | AEADAlgorithm::Unknown(_) =>
+ Err(Error::UnsupportedAEADAlgorithm(*self).into()),
}
}
}
-type EaxTagLen = U16;
+type TagLen = U16;
macro_rules! impl_aead {
($($type: ty),*) => {
$(
- impl Aead for Eax<$type, Encrypt, EaxTagLen> {
+ impl Aead for Eax<$type, Encrypt, TagLen> {
fn digest_size(&self) -> usize {
- EaxTagLen::USIZE
+ TagLen::USIZE
}
fn encrypt_seal(&mut self, dst: &mut [u8], src: &[u8]) -> Result<()> {
debug_assert_eq!(dst.len(), src.len() + self.digest_size());
@@ -139,7 +180,7 @@ macro_rules! impl_aead {
$(
impl Aead for Eax<$type, Decrypt> {
fn digest_size(&self) -> usize {
- EaxTagLen::USIZE
+ TagLen::USIZE
}
fn encrypt_seal(&mut self, _dst: &mut [u8], _src: &[u8]) -> Result<()> {
panic!("AEAD encryption called in the decryption context")
@@ -171,3 +212,55 @@ macro_rules! impl_aead {
}
impl_aead!(BlockCipherKey<Aes, U128>, BlockCipherKey<Aes, U192>, BlockCipherKey<Aes, U256>);
+
+struct Gcm<Cipher: BlockCipher + BlockSizeUser<BlockSize = U16> + BlockEncrypt> {
+ cipher: aes_gcm::AesGcm<Cipher, U12>,
+ nonce: GenericArray<u8, U12>,
+ aad: Vec<u8>,
+}
+
+impl<Cipher> Aead for Gcm<Cipher>
+where
+ Cipher: BlockCipher + BlockSizeUser<BlockSize = U16> + BlockEncrypt,
+{
+ fn digest_size(&self) -> usize {
+ TagLen::USIZE
+ }
+
+ fn encrypt_seal(&mut self, dst: &mut [u8], src: &[u8]) -> Result<()> {
+ debug_assert_eq!(dst.len(), src.len() + self.digest_size());
+ use aes_gcm::AeadInPlace;
+
+ let len = cmp::min(dst.len(), src.len());
+ dst[..len].copy_from_slice(&src[..len]);
+ let tag =
+ self.cipher.encrypt_in_place_detached(&self.nonce, &self.aad,
+ &mut dst[..len])?;
+ debug_assert_eq!(dst[len..].len(), tag.len());
+ let tag_len = cmp::min(dst[len..].len(), tag.len());
+ dst[len..len + tag_len].copy_from_slice(&tag[..tag_len]);
+ Ok(())
+ }
+
+ fn decrypt_verify(&mut self, dst: &mut [u8], src: &[u8]) -> Result<()> {
+ debug_assert_eq!(dst.len() + self.digest_size(), src.len());
+ use aes_gcm::AeadInPlace;
+
+ // Split src into ciphertext and digest.
+ let len = src.len().saturating_sub(self.digest_size());
+ let digest = &src[len..];
+ let src = &src[..len];
+
+ debug_assert_eq!(dst.len(), src.len());
+ let len = core::cmp::min(dst.len(), src.len());
+ dst[..len].copy_from_slice(&src[..len]);
+ self.cipher.decrypt_in_place_detached(&self.nonce, &self.aad, dst,
+ digest.try_into()?)?;
+ Ok(())
+ }
+}
+
+impl<'a, Cipher> seal::Sealed for Gcm<Cipher>
+where
+ Cipher: BlockCipher + BlockSizeUser<BlockSize = U16> + BlockEncrypt,
+{}
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-27 23:31:04 +0000